AppScan Tricks And Tools

About this blog

Forum for those learning about leading IBM Application Security tricks, scripts, tools and kits for AppScan Source for Analysis: customizing, integrating, sniffing, snooping and hijacking your way to joy.

Following my previous venture, more accurately 'wander', into Extending WAFL - ASP.NET MVC and a very cool, tangential trip off into Continuous Integration Land, I'm now regaining focus on using the AppScan Source Framework-4-Frameworks (F4F) APIs to write support for handling the ASP.NET MVC 3.0 framework. As detailed in this post by Dinis Cruz, AspNet Support In Sast And IBM-F4F, there are several non-trivial pieces to constructing the full data flow picture of a modern MVC application, and ASP.NET MVC 3.0 contains a particular... [More]

** Re-posting this entry from the Message Board **
IBM Security Systems Has All The Artillery To Dominate the Security Battlefield. It just needs to be deployed properly. Some factors that may explain the current state of application security maturity [extremely low]: development organizations continue to lack the necessary security training and processes to translate 'security requirements' into a secure design with appropriate unit tests. The intense pace of development of new technologies and migration of... [More]

Given that I've been adhering more and more to what has become the leading edge of a communication paradigm shift, which I'll take the liberty of terming HyperLink It Or Lose It, below is a response I wrote to an email with some appreciated positive encouragement which I received from one of the innovators behind the technologies that I've been using in my latest investigations. Hi, Many thanks for the positive feedback! I'm going to assume that you're the only one that replied to this email simply because no one else could put into... [More]

Recently, I've heard from several AppScan users that it's not entirely obvious how to "Publish" results from either AppScan Source Edition or AppScan Standard Edition to the AppScan Enterprise Console, where both sets of results can be viewed, reported on and otherwise managed. I would agree that [correct] information was difficult to obtain, so I did my own short investigation and found [brute forced] the answers, which I thought I would share. Below are the screenshots of the configuration which yielded successful connections:... [More]

Below is a link to an updated Web Application Framework Language Viewer: WAFL Viewer v0.7. I updated this version with a partial mapping of Synthetic Methods - only the Synthetic itself and the Type of the first argument in the Callback are exposed accurately. This was done in order to gain some understanding of the translation of the use of the high level F4F API methods, especially addTaintedCallback(), into the actual WAFL xml elements. Using... [More]

In the relatively successful F4F expedition into Mapping The MVC-3.0 Controllers, we generated Tainted Callbacks for each of the Controllers found, in effect simulating calls with user-controllable or Tainted data. With this skeleton of the application sketched out, we will now need to tie these to the appropriate Views and Models according to the MVC 3.0 Framework Lifecycle. A seemingly sensible plan to generate the analysis components necessary consists of the following steps: a) identify the Models used by each controller b) map... [More]

One of the main advantages of having a full Continuous Integration environment integrated with the security scanning tools, all running together on a central server (pronounced "Mainframe"), is the ability for customization to take place, such as the initial phase of Support for ASP.NET MVC 3.0, and immediately be made available to the entire enterprise. In this scenario, a key aspect to take into consideration is the fact that the product integration, installation of the development / run time environments and SDKs, as well as the... [More]

To illustrate a real world application for the technique described in Application Injection, we are going to use the O2 REPL functionality to modify the running process, in real-time, to add a Source Edition Results Plug-in to AppScan Standard. The resulting prototype is a way to display and map Static and Dynamic Analysis results for a given application that allows for a very interesting perspective - one that highlights the strengths and weaknesses of both technologies and allows for a deeper and more accurate investigation. ... [More]

Getting back to the task of adding support for the ASP.NET MVC framework and following the advice of the architects of the language: "Details of writing and deploying an F4F handler that uses the F4F high-level APIs are described in the AppScan Source document Security_AppScan_Source_Utilities.pdf shipped with the product. See Chapt. 7." Hence it seems that we shall create a new F4F Handler (also known around town as a 'WAFL Generator'), which is the mechanism by which the .wafl files are created during each scan for use by... [More]

Last Episode: After having configured our Continuous Integration platform, Team City, and integrating GitHub as both the source code control system and the eventual build and scanning artifact repository, we were able to properly trigger an Ant build of a simple application by committing (or 'pushing' in Git terminology) the application and its build files to a predetermined public repository.
Here And Now: Our Prototype-tagonists are tasked with the integration of AppScan Source Scanning into the environment. By either adding... [More]

As detailed in my previous post, The AppScan Appliance - Design and Architecture, I noted several components that I consider crucial steps in the development of the AppScan Appliance Proof of Concept. One of the first major milestones will be the creation of a web-based portal where AppScan Source scans can be triggered and the results viewed. Ideally this portal will be the front end for a Continuous Integration environment, which itself will be integrated with a Version Control System (VCS) used not only for acquiring the source code... [More]

Here is a pretty funny and / or really serious (depending on your frame of reference) utility that exploits a low level SMTP vulnerability by design. In effect, this allows one to send an email FROM ANY ADDRESS, as long as the domain doesn't actually exist. That may sound like a tough restriction, but I can testify that anything from a realistic sounding new division name, theoretically something like myboss@security.us.ibm.com, has a very high potential of being opened. Link to the Utility in a Standalone Executable (with a cool... [More]

This post will be the first in a series dedicated to providing initial support for a very common .NET framework in use today, ASP.NET MVC, specifically version 3.0 (http://www.asp.net/mvc/mvc3). The lack of AppScan Source visibility into this framework and any applications built using it was first described in depth in this post by Dinis Cruz: ASP.NET MVC Support in SAST and IBM F4F. Given that there currently is no WAFL support, i.e. a WAFL Generator has not yet been created to identify the various constructs that need WAFL rules... [More]